MISCELLANEOUS CYBERSECURITY NEWS:
Industry launches hacking policy council, legal defense fund to
support security research and disclosures - Google and other
companies will develop and stand up a pair of new initiatives that
will provide policy guidance to governments and legal protection to
security researchers engaged in "good faith" vulnerability research
and disclosure. Google also said it would formalize an internal
policy of being publicly transparent when bugs in Google products
are exploited in the wild.
https://www.scmagazine.com/news/leadership/hacking-policy-council-launched-to-support-security-research-and-disclosures
Why does it take so long for security teams to remediate
vulnerabilities? - A recent analysis of about 1,000 companies found
that only 13% of the vulnerabilities observed were remediated, and
that security teams took an average of 271 days to address them.
https://www.scmagazine.com/perspective/vulnerability-management/why-does-it-take-so-long-for-security-teams-to-remediate-vulnerabilities
CISA, Others Unveil Guide for Secure Software Manufacturing - The
United States and half a dozen other countries sought to reverse
decades of tech industry attitudes in a Thursday document pleading
with manufacturers to make cybersecurity a core business goal.
https://www.govinfosecurity.com/cisa-others-unveil-guide-for-secure-software-manufacturing-a-21673
How insecure is America's FirstNet emergency response system?
Seriously, anyone know? - AT&T is "concealing vital cybersecurity
reporting" about its FirstNet phone network for first responders and
the US military, according to US Senator Ron Wyden (D-OR), who said
the network had been dubbed unsafe by CISA.
https://www.theregister.com/2023/04/12/firstnet_cybersecurity_audit_wyden/
SEC targets cloud, key securities firms in latest regulatory
broadside - The Securities and Exchange Commission is seeking to
broaden the range of companies in the securities market that would
be subject to stricter regulations for compliance and integrity of
their information systems, while proposing a host of new
requirements for those businesses around cybersecurity and their use
of third-party cloud providers.
https://www.scmagazine.com/analysis/business-continuity/sec-targets-cloud-key-securities-firms-regulatory-broadside
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Ransomware strikes POS platform used by NCR’s customers in
hospitality industry - NCR disclosed on Saturday that it was hit
with a ransomware attack on its Aloha point-of-sale (POS) platform
targeted towards the company’s hospitality and restaurant customers.
https://www.scmagazine.com/news/ransomware/ransomware-strikes-pos-platform-ncr
HHS Cybersecurity Task Force Releases New Resources to Address Rise
in Healthcare Cyberattacks - Led by the HHS 405(d) Program and the
HSCC CWG, the new resources include an update to the HICP and an
educational platform offering healthcare cybersecurity trainings.
https://healthitsecurity.com/news/hhs-cybersecurity-task-force-releases-new-resources-to-address-rise-in-healthcare-cyberattacks
Payments Giant NCR Hit by Ransomware - NCR first reported
investigating an “issue” related to its Aloha restaurant
point-of-sale (PoS) product on April 12. On April 15, the company
said a limited number of ancillary Aloha applications for a subset
of its hospitality customers had been impacted by an outage at a
single data center.
https://www.securityweek.com/payments-giant-ncr-hit-by-ransomware/
German arms manufacturer Rheinmetall confirms cyberattack - German
automotive and arms manufacturer Rheinmetall suffered a cyberattack
on Friday, the company said.
https://therecord.media/rheinmetall-cyberattack-germany-arms-manufacturer
DC Health Link says human error led to Congress members' stolen data
- Newly released details on the hack of DC Health Link Exchange in
early March show that it was caused by an employee error: a
misconfigured server allowed access without authentication and led
to the theft of two reports.
https://www.scmagazine.com/news/incident-response/dc-health-link-says-human-error-led-to-congress-members-stolen-data
WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify
that periodic statements for open-end credit accounts may be
provided electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options, but they should
ensure that the on-line advertising complies with the regulations.
For on-line advertisements that may be deemed to contain more than a
single page, financial institutions should comply with the
regulations, which describe the requirements for multiple-page
advertisements.
FFIEC IT SECURITY -
We begin a new series
from the FDIC "Security Risks Associated with the Internet." While
this Financial Institution Letter was published in December 1997,
the issues still are relevant.
This FDIC paper alerts financial institutions to the fundamental
technological risks presented by use of the Internet. Regardless of
whether systems are maintained in-house or services are outsourced,
bank management is responsible for protecting systems and data from
compromise.
Security Risks
The Internet is inherently insecure. By design, it is an open
network which facilitates the flow of information between computers.
Technologies are being developed so the Internet may be used for
secure electronic commerce transactions, but failure to review and
address the inherent risk factors increases the likelihood of system
or data compromise. Five areas of concern relating to both
transactional and system security issues, as discussed below, are:
Data Privacy and Confidentiality, Data Integrity, Authentication,
Non-repudiation, and Access Control/System Design.
Data Privacy and Confidentiality
Unless otherwise protected, all data transfers, including
electronic mail, travel openly over the Internet and can be
monitored or read by others. Given the volume of transmissions and
the numerous paths available for data travel, it is unlikely that a
particular transmission would be monitored at random. However,
programs, such as "sniffer" programs, can be set up at opportune
locations on a network, like Web servers (i.e., computers that
provide services to other computers on the Internet), to simply look
for and collect certain types of data. Data collected from such
programs can include account numbers (e.g., credit cards, deposits,
or loans) or passwords.
Due to the design of the Internet, data privacy and
confidentiality issues extend beyond data transfer and include any
connected data storage systems, including network drives. Any data
stored on a Web server may be susceptible to compromise if proper
security precautions are not taken.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4 - COMMON THREATS: A BRIEF OVERVIEW
Computer systems are vulnerable to many threats that can inflict
various types of damage resulting in significant losses. This damage
can range from errors harming database integrity to fires destroying
entire computer centers. Losses can stem, for example, from the
actions of supposedly trusted employees defrauding a system, from
outside hackers, or from careless data entry clerks. Precision in
estimating computer security-related losses is not possible because
many losses are never discovered, and others are "swept under the
carpet" to avoid unfavorable publicity. The effects of various
threats varies considerably: some affect the confidentiality or
integrity of data while others affect the availability of a system.
This chapter presents a broad view of the risky environment in
which systems operate today. The threats and associated losses
presented in this chapter were selected based on their prevalence
and significance in the current computing environment and their
expected growth. This list is not exhaustive, and some threats may
combine elements from more than one area. This overview of many of
today's common threats may prove useful to organizations studying
their own threat environments; however, the perspective of this
chapter is very broad. Thus, threats against particular systems
could be quite different from those discussed here.
To control the risks of operating an information system, managers
and users need to know the vulnerabilities of the system and the
threats that may exploit them. Knowledge of the threat environment
allows the system manager to implement the most cost-effective
security measures. In some cases, managers may find it more
cost-effective to simply tolerate the expected losses. Such
decisions should be based on the results of a risk analysis.